Strategic Asset Management Program Controls Design Is Generally Sound, But Improvements Can Be Made

Final Audit Report No. 105-2010

January 14, 2011

Audit Report Issued By:

NATIONAL RAILROAD PASSENGER CORPORATION
OFFICE OF INSPECTOR GENERAL
10 G STREET, N.E.
WASHINGTON, DC 20002

Date: January 14, 2011
From: David R. Warren, Assistant IG, Audit
Department: Office of Inspector General
To: DJ Stadtler, CFO
    Ed Trainor, CIO
Subject: Strategic Asset Management Program Controls Design Is Generally Sound, But Improvements Can Be Made
         Report No. 105-2010
cc: Jeff Martin, Chief Logistics Officer
    Frank Vacca, Chief Engineer
    Mario Bergeron, CMO
    Kay Duggan, GIO-ERP
    Don Ford, Senior ERP Director
    Jessica Scritchfield, Internal Controls Officer

Enclosed is our final report on control design issues that came to our attention while we were conducting the audit of Strategic Asset Management (SAM) program’s implementation efforts. Our audit objective was to review SAM program’s internal controls design to determine whether it adequately identified and mitigated internal control risks.

Management’s response from the Amtrak Chief Financial Officer to our draft report is in the attached Exhibit E. Management agreed with all our recommendations and provided planned actions to implement our recommendations.

Thank you for your cooperation during the course of this audit. If you have any questions, you can contact Vipul Doshi, Senior Director, at (202) 906-4619 or by email at doshiv@amtrak.com, or me at (202) 906-4742 or by email at david.warren@amtrak.com.

David R. Warren
Assistant Inspector General for Audit

Attachment

EXECUTIVE SUMMARY

WHY WE CONDUCTED THIS AUDIT

Amtrak’s Strategic Asset Management (SAM) program is estimated to cost as much as $380 million. The goal is to transform key business operations such as finance and logistics. SAM will replace or enhance many manual and automated systems.

Given SAM’s cost and impact on business operations, the OIG reviewed the SAM program’s internal controls design to determine whether it adequately identified and mitigated internal control risks.

What OIG Found

The design of the automated controls to mitigate financial risks in the first SAM segment (R1a) to be implemented is generally sound. However, we found gaps in the design of the controls that do not fully mitigate the financial and operational risks. These gaps put Amtrak at risk of not fully realizing the potential benefits from SAM. In particular, a lack of adequate controls can lead to inaccurate financial reporting, vulnerability to fraud, and inefficient business operations.

We reviewed the controls design that had been developed for 24 out of 139 business processes. Overall, our work showed that the controls design for the 24 business processes was generally sound. However, we found 22 areas where there were opportunities to make improvements within those 24 business processes. For example,
   • Journal entries will be processed manually leaving the process vulnerable to the risk of error and rework.
   • Controls were not documented to avoid risk of unauthorized purchases.
   • Controls over certain physical inventory were not in place leaving the inventory vulnerable to undetected loss or theft.
   • Controls over requisitions related to closed or cancelled work orders were not in place to mitigate the risk of unnecessary purchases.
   • Controls to identify an alternate supply source before removing a working part from one piece of equipment to repair a nonworking piece of equipment were not in place thereby increasing the risk of delay in bringing the equipment back in service.

We also found that the scope of the controls design work was limited to automated controls in the finance and materials management business areas, and it did not cover other SAM impacted business areas of procurement, mechanical, and engineering. In addition, we found that the manual control designs and controls designs to address operational risks have not been fully developed for all SAM impacted business areas. Reliable financial and operational controls are needed in all affected business areas to ensure reliable financial reporting and efficient business operations; and to prevent fraud.

In summary, we are recommending that Amtrak: 1) complete certain automated control design tasks before the April 2011 R1a implementation, and 2) expand the scope of the control design process to include controls that fully address financial and operational risks in all affected business areas.

In commenting on a draft of this report, management agreed with all our recommendations and has assigned responsibilities to appropriate individuals to take timely actions to address our recommendations. While management has expressed some concern about resource constraints, they are exploring various options to implement our recommendations. We are encouraged by management’s planned actions, and commitment to improve internal controls. If properly implemented, the actions identified by management address our recommendations.

TABLE OF CONTENTS

BACKGROUND
RESULTS OF AUDIT
    OPPORTUNITIES EXIST TO IMPROVE THE CONTROLS DESIGN PROCESS
        Most Control Designs Reviewed Were Sound, But Some Can Be Improved
        The Scope Of The SAM Controls Design Process Effort Is Not Comprehensive
CONCLUSION
RECOMMENDATIONS
MANAGEMENT COMMENTS AND AUDIT RESPONSE
EXHIBIT A
    Scope and Methodology
EXHIBIT B
    OIG Analysis of SAM R1a Control Weaknesses and Recommendations
EXHIBIT C
    Acronyms
EXHIBIT D
    Audit Team Members
EXHIBIT E
    Management Response
EXHIBIT F
    OIG Mission and Contact Information

BACKGROUND

In 2008, Amtrak launched a company-wide, multi-year effort called the Strategic Asset Management (SAM) program to transform key operational, financial, supply chain, and human resource processes by replacing or enhancing many of its manual and automated systems with new systems and business processes. The critical automated systems in the new environment will be SAP Enterprise Resource Planning (ERP)[1], Maximo Asset Management[2], and Ariba[3] software. The Enterprise Strategic Systems Steering Committee (ESSSC) consisting of senior executives provides strategic guidance to the SAM program, and key program decisions are guided by the three Sponsors, i.e. Chief Financial Officer (CFO), Chief Operating Officer (COO)[4] and Chief Information Officer (CIO). Amtrak officials estimate that the SAM program will cost up to $380 million.

The program’s overall objective is to transform key operations and systems of the company; to implement best practices; integrate business processes; and provide timely information for financial reporting, management decision-making, and optimum operations performance. The program is anticipated to also help Amtrak meet the accounting requirements mandated by the Passenger Rail Investment and Improvement Act of 2008 (PRIIA)[5].
Another envisioned benefit from SAM is improving the information flow and providing better information for decision-making by breaking down information-sharing barriers among departments.

[1] SAP (ERP) software can process enterprise-wide data from various business areas such as finance, procurement, payroll, and sales and distribution. Amtrak’s human resources and payroll functions are currently processed in SAP. SAM Release 1a will add most of the finance and materials management functions in SAP.
[2] Maximo Asset Management software unifies comprehensive asset life cycle and maintenance management on a single automated database. Amtrak’s Engineering department is using Maximo to manage Amtrak’s rail infrastructure.
[3] Ariba software specializes in many procurement business functions, such as spend management, contract management and supplier management. Amtrak is currently using Ariba for purchase requisitioning, travel and expense, procurement cards, and payment requests.
[4] Amtrak abolished the position of Chief Operating Officer (COO) effective October 22, 2010.
[5] Public Law No. 110-432, Division B, enacted on October 16, 2008.

Amtrak program documents show that the SAM program is divided into three distinct implementation segments. SAM is currently in the first segment, generally referred to as Release 1a or R1a. The R1a segment will reengineer business processes and provide new automated capabilities for most finance and materials management business processes using SAP and PowerPlant[6] software. These are critical business activities for Amtrak.
In FY 2009, Amtrak financial activities included $3.5 billion in expenses and $2.35 billion in revenues. These systems will control financial reporting of revenues and expenses. On September 30, 2009, Materials Management was responsible for $184 million in materials and supplies. Likewise these systems will be controlling reporting and management of this inventory. The R1a segment will also enhance procurement work process capabilities using existing Ariba software. The SAM R1a segment is scheduled to be implemented in April 2011.

In July 2008, Amtrak contracted with Accenture LLP (“Accenture”) to support the SAM R1a implementation[7]. With Accenture’s support, Amtrak developed Business Process Definition (BPD) documents for all business processes impacted by the SAM R1a segment. The purpose of a BPD is to document existing or reengineered business processes so that manual and automated systems can be designed and configured accordingly. Among other things, each BPD provides flowcharts, risk and control objectives, and Key Performance Indicators (KPIs)[8]. Accenture subcontracted the internal controls design work to Protiviti Inc. (“Protiviti”) to review BPDs, identify risks in the process design, and develop controls to mitigate the risks. The purpose of the internal controls design work is to help ensure that financial reporting is accurate; and efficient and effective business operations are achieved.

System controls are typically described as financial, which ensure the accuracy of financial data, or operational, which ensure the efficiency and effectiveness of business operations.
This audit focuses on the adequacy of the process for designing financial and operational controls for the SAM program.

In early 2011, we will report the results of our overall audit of SAM strategic planning and program management.

[6] PowerPlant software will record and manage transactions related to Amtrak’s assets. Amtrak bought PowerPlant software because of its capability in group depreciation. PowerPlant will apply depreciation to Amtrak’s assets and pass asset valuation to SAP for recording.
[7] The contract between Amtrak and Accenture LLP was signed on July 8, 2008.
[8] Key Performance Indicators (KPIs) are different performance metrics to help evaluate the performance of a process.

Objective

The reporting objective for this report is to review the SAM program’s internal controls design to determine whether it adequately identified and mitigated internal control risks. To review the adequacy of controls design, we reviewed the list of BPDs that were developed for SAM R1a and assessed their criticality based on the business processes being addressed. For our detailed analysis, we selected a judgmental sample of 24 out of the 139 critical business processes, as of November 8, 2010. We made this judgment based on our discussions with the process owners and SAM subject matter experts (SMEs), our professional knowledge, and opportunities to implement industry best practices.

For a detailed discussion of the audit scope and methodology, see Exhibit A. For OIG analysis of SAM R1a control weaknesses and recommendations, see Exhibit B. For a list of acronyms used, see Exhibit C. For the audit team members, see Exhibit D.
For management response, see Exhibit E. For the Amtrak OIG Mission and Contact Information, see Exhibit F.

RESULTS OF AUDIT

OPPORTUNITIES EXIST TO IMPROVE THE CONTROLS DESIGN PROCESS

The design of the automated controls to cover financial risk related to the R1a segment, which involves implementing SAP and PowerPlant, is generally sound. However, certain gaps in the design process will prevent Amtrak from fully realizing the potential benefits from improving the efficiency and effectiveness of business operations. Further, unaddressed control weaknesses leave Amtrak vulnerable to business operation breakdowns that could adversely affect operating expenses and revenues. We identified opportunities to improve existing controls, and expand the scope of the control design process to include manual controls and controls to address operational risks in all affected business areas. If effectively implemented, these control recommendations should improve data reliability and integrity, and help reduce operating costs.

Most Control Designs Reviewed Were Sound, But Some Can Be Improved.

Overall, our work showed that the controls design for the 24 BPDs we reviewed was generally sound. However, we found instances where the review could have been more comprehensive. We identified opportunities to improve controls in 22 areas within these 24 business processes. These areas for improvement address both financial and operational risks. We categorized 5 of the areas as high risk and 17 as medium risk. We categorized the risk based on the likelihood and impact of a control failure on business operations. Specifically, control failures could potentially leave Amtrak vulnerable to inaccurate financial reporting and business operation interruptions that could adversely affect operating expenses and revenues.

The five high-risk control weaknesses identified include:
   • Manual journal entries (Financial Risk). In one case, the manual processing of financial journal entries does not provide adequate accountability and reliability over the creation, approval, and accuracy of journal entries. Currently, journal entries are created on paper and approved using emails before they are entered into the existing financial system, the Financial Information System (FIS). This process will continue to be the same except that the journal entries will be manually entered into SAP. Manual entries increase the risk of unauthorized entries. Automated approval and posting of journal entries is a best practice to reduce the risk of error and rework.

   • Controls were not documented for certain procurement activities (Financial Risk). In three cases, controls were not documented to ensure that the approval hierarchy in Ariba for new or modified procurement contracts and purchase orders was correctly configured. Also, controls were not documented to ensure that only authorized personnel can have access to create and maintain purchase orders. If such controls are not documented and tested, the approval hierarchy may not be correctly configured to ensure that purchase orders are approved according to Amtrak’s “Purchase, Expenditure, and Control Approval Authorizations policy 11.39.0.” This creates a risk of unauthorized purchases.

   • Control was not documented related to periodic review of physical inventory (Financial Risk).
     In one case, control was not documented to ensure periodic review of the physical inventory list to identify locations where inventory counting was not performed. The value of the physical inventory held by the business may be misstated if there is a difference between the book and the physical inventory values. Inaccurate records also leave the inventory vulnerable to undetected loss or theft.

The seventeen medium-risk control weaknesses identified include:
   • Physical and book inventory may not be reconciled in a reasonable time (Financial Risk). Untimely reconciliation increases the risk of undetected inventory loss or theft, and may result in inappropriate modification of recorded counts of physical inventory and incorrect inventory valuation. We previously reported on this issue in Amtrak OIG Audit Report, #217-2008 "Annual Maintenance of Way Inventory" dated December 23, 2008.

   • Requisitions corresponding to closed or cancelled work orders are not being deleted in Spear[9] (Operational Risk). If requisitions are not deleted in a timely manner, Amtrak could make unnecessary purchases.

   • Completed work orders in Maximo may not be closed in a timely manner (Operational Risk). Open, completed work orders reserve unused inventory that can be used on other work orders. This may cause Amtrak to procure unnecessary materials.

   • No requirement exists to periodically review reports so that a sufficient quantity of materials is available when needed (Operational Risk).
     Without this control, cars and locomotives can remain out of service for extended time, thus reducing operating efficiency and effectiveness.

   • There is no established timeframe for quality inspection of materials received into inventory (Operational Risk). Materials remaining in quality inspection for unnecessarily long periods of time can delay maintenance.

   • Repair and return transactions may not be appropriately configured (Financial Risk). Inventory value in the General Ledger will be misstated if inventory is not recorded or is recorded incorrectly.

   • Before removing a working part from one piece of equipment to repair another, alternate sources of inventory parts may not be identified and work orders may not be created to replenish the removed part (Operational Risk). Removing parts is a more costly process than using inventory stock, and increases maintenance personnel costs. It can result in breakage during the removal process, and can cause delays in bringing the originally working equipment back in service.

   • Problematic invoices that are held for payment may not be processed in a timely manner (Operational Risk). Late payment of invoices will result in penalties.

   • Controls to help identify duplicate and fictitious vendors and vendor invoices are weak (Financial Risk). A weak control in this area leaves the company vulnerable to duplicate payments and undetected fraud.

   • Control is not documented to ensure that invoices for service purchase orders over $10,000 will not be paid until approved (Financial Risk). If business process design documents are not written clearly and consistently, the desired controls may not be implemented or may be implemented incorrectly.

[9] Spear is the asset management software to help manage maintenance of train cars and locomotives. Amtrak’s Mechanical department is using Spear to record maintenance of train equipment.

Table 1 below summarizes the 22 control weaknesses we identified by type, business area, high (H) and medium (M) risk level, and financial (F) and operational (O) impact. During the audit, we discussed the results of our work with responsible Amtrak officials. As a result, SAM implementation team members have either taken or are taking actions to address some of the concerns we raised.

Table 1 – Control Weaknesses by Control Type, Business Area, and Risk

                        Business Areas*
Control Type            FI      MM      PR      ME      EN      Total by    Total by
                                                                risk level  impact
                        H   M   H   M   H   M   H   M   H   M   H   M       F   O
Automated
  Configuration[10]     1   5   0   1   2   0   0   2   0   0   3   8       8   3
  Sensitive Access[11]  0   0   0   0   1   0   0   0   0   0   1   0       1   0
Manual
  Detective[12]         0   1   1   2   0   0   0   1   0   1   1   5       2   4
  Process[13]           0   0   0   2   0   1   0   1   0   0   0   4       1   3
Total                   1   6   1   5   3   1   0   4   0   1   5   17      12  10
                                                        Total   22          22

* FI=Finance, MM=Materials Management, PR=Procurement, ME=Mechanical, EN=Engineering, H=High Risk, M=Medium Risk, F=Financial Risk, O=Operational Risk

Source: OIG analysis of Amtrak data

[10] Configuration controls ensure that the application is set up appropriately to achieve the required capability.
[11] Sensitive Access controls ensure that sensitive transactions are accessed only by authorized individuals.
[12] Detective controls detect errors and irregularities that could not be prevented but can be rectified.
[13] Process controls ensure that manual business processes are designed correctly to provide desired outputs.

For details on the 22 control weaknesses we found and our specific recommendations to address them, see Exhibit B.

The Scope Of The SAM Controls Design Process Effort Is Not Comprehensive.

We also analyzed the overall scope of the SAM R1a internal controls design work for all business processes impacted by SAM. We found that the scope of the SAM Controls team was limited to designing automated controls to address financial risks in the business areas of finance and materials management, and it did not include designing controls for the other impacted business areas of procurement, mechanical and engineering.
In addition, we found that the manual control designs (detective and process controls) and controls designs to address operational risks have not been fully developed for all impacted business areas, i.e. finance, materials management, procurement, mechanical and engineering.

While there are 38 systems that will interface with SAP as part of the SAM R1a segment, the following are key systems for the impacted business areas:
   • SAP and PowerPlant for finance
   • SAP for materials management
   • Ariba for procurement
   • Spear for mechanical
   • Maximo for engineering

The weaknesses we identified are described below and summarized in Table 2 on page 9:

Controls Coverage to Address Financial Risks
   • Automated controls are designed to address financial risks in SAP, Maximo, and PowerPlant. SAM is adding or changing the business processes in Ariba, Maximo, and Spear. However, no plans exist to document and test automated controls to address financial risks in Ariba and Spear for the new processes created by SAM. Integrity of information in multiple software programs cannot be ensured if controls within all impacted software are not documented and tested. For example, SAM is developing an automated approval workflow in Ariba for procurement contracts and purchase orders, which are currently approved manually. Inappropriate configuration of approval hierarchy in the Ariba software can result in costly unauthorized purchases and can create vulnerability to fraud.

   • While manual detective controls have been designed, manual process controls have not been designed for finance and materials management business areas. Also, both manual detective and manual process controls have not been designed for the new processes developed in procurement, engineering and mechanical business areas.

Controls Coverage to Address Operational Risks
   • Neither automated nor manual controls have been designed to cover operational risks in any of the systems impacted by SAM. Such controls help to ensure the efficiency and effectiveness of business operations. For example, controls were designed to ensure that invoices are paid accurately; however, no control was designed to ensure that materials do not remain in quality inspection for extended periods delaying maintenance activities. Designing controls to ensure management action on Key Performance Indicators (KPIs)[14] listed in the BPDs to monitor operational efficiency was not in the scope of the SAM Controls team. Such controls are key tools in helping to control and reduce operating costs.

Controls Coverage of Current Capability in Existing Systems
   • Current business processes in the existing systems were not reviewed to ensure that adequate automated and manual controls are in place to maintain data integrity and reliability across SAM impacted business areas.
      Existing systems may already have the desired controls in place; however, no review
      has been made to determine the extent to which controls have been documented.

Table 2 below shows the areas not covered by the SAM internal controls design process.

[14] For example, On Time Delivery/Cycle Time is a ratio of the number of deliveries that
     arrived on or before the delivery date compared to the number of deliveries for a given
     period.

Table 2 – Analysis of the extent to which controls have been designed or reviewed

                                              Existing Systems
                     New Systems              (i.e. Procurement, Mechanical, Engineering)
Controls             (Finance, Materials      New capability        Current
                     Management)              added by SAM          capability +
---------------------------------------------------------------------------------------
Automated Controls (Configuration, Sensitive Access, Segregation of Duties)
  Financial Risk     Designed                 Not Designed ++       Not Reviewed
  Operational Risk   Not Designed             Not Designed          Not Reviewed
Manual Controls (Detective and Process)
  Financial Risk     Only Detective           Not Designed          Not Reviewed
                     Controls Designed
  Operational Risk   Not Designed             Not Designed          Not Reviewed

+  The SAM Controls team was not tasked to review the controls. Existing systems may already
   have the desired controls in place; however, controls may not be consistently documented.
++ The SAM Controls team identified some risks. Business process owners were responsible for
   controls, but have not designed them. Automated controls to address financial risks in
   Maximo are being developed.
Source: OIG analysis of Amtrak data

Last, we noted that although controls to avoid segregation of duties issues will be built in SAP,
there are no plans to ensure that users’ combined access permissions in SAP, Ariba, Maximo,
and other systems do not give them the ability to process inappropriate transactions.
For example, a user can potentially have access to receive non-inventory items in Ariba and
enter an invoice for payment in SAP.

CONCLUSION

Design of automated controls in SAP and PowerPlant to cover financial risk is generally sound.
However, certain gaps in the design process leave Amtrak vulnerable to not fully realizing the
potential benefits from SAM to provide for efficient and effective business operations. Further,
control failures could potentially leave Amtrak vulnerable to business operation deficiencies that
could adversely affect operating expenses and revenues. Opportunities exist to improve existing
controls and expand the scope of control design efforts to other systems. These opportunities, if
effectively implemented, should improve data reliability and integrity, and help reduce operating
costs.

RECOMMENDATIONS

The OIG recommends that the SAM program sponsors take the following actions:

1. Prior to the April 2011 SAM R1a implementation:

       a) Address the control weaknesses to mitigate financial and operational risks identified in
          this report related to the SAM R1a implementation (See Exhibit B).

       b) Reevaluate the other 115 BPDs to determine and implement the automated controls to
          address financial and operational risks similar to the issues we identified that need to be
          addressed in SAP, PowerPlant, Maximo, Ariba, and Spear.

2. After SAM R1a is implemented:

       a) For new capability: Evaluate all 139 BPDs to determine and implement the manual
          controls to address financial and operational risks in SAP, PowerPlant, Maximo, Ariba,
          and Spear.

       b) For current capability: Review automated and manual controls in i) key systems impacted
          by SAM, i.e. SAP, Ariba, Spear, and Maximo and ii) other relevant existing systems such
          as SupplyPro [15] and Labor Management System (LMS) [16] that interface with SAP.
          Identify gaps; and develop and document the missing controls to ensure that critical
          financial and operational risks are addressed.

       c) Build a comprehensive Risk and Controls matrix to ensure segregation of duties between
          multiple applications, such as SAP, Maximo, and Ariba.

[15] SupplyPro is an automated material vending machine system used for self-service by mechanics.
[16] Labor Management System (LMS) is used for scheduling and time management of train crew.

MANAGEMENT COMMENTS AND AUDIT RESPONSE

In commenting on a draft of this report, management agreed with all our recommendations and
has assigned responsibilities to appropriate individuals to take timely actions to address our
recommendations. While management has expressed some concern about resource constraints,
they are exploring various options to implement our recommendations. We are encouraged by
management’s planned actions and commitment to improve internal controls.
If properly implemented, the actions identified by management address our recommendations.

EXHIBIT A
Scope and Methodology

We conducted this performance audit in accordance with the generally accepted government
auditing standards (GAGAS). These standards require that we plan and perform the audit to
obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence obtained provides a
reasonable basis for our findings and conclusions based on our audit objectives.

We started our fieldwork in May 2010 and completed our review in September 2010. We used
the following scope and methodology in conducting this audit.

We reviewed the internal controls design for manual and automated systems being developed in
the SAM R1a implementation segment. To evaluate the control design process used to develop
controls for the business processes affected by SAM R1a implementation, we used the following
methodology:

We judgmentally selected 24 Business Process Definition (BPD) documents for detailed review.
Our objective was to determine the adequacy of the control design for these BPDs.
Specific review steps included:

•     We reviewed the list of BPDs [17] that were developed for SAM R1a and judged their
      criticality by the business processes addressed in the BPDs.
•     We requested SAM subject matter experts (SMEs) and business owners to suggest BPDs that
      should be reviewed based on their criticality to business operations and financial impact.
•     Using the above information and our professional judgment, we selected a sample of 24
      critical business processes out of 139 (as of November 8, 2010) for detailed review.

SAM R1a implementation is primarily impacting finance and materials management processes;
and as a result, our review focused on the processes in these business areas. We reviewed
procurement, mechanical, and engineering process BPDs for risks introduced due to the changes
brought about by SAM. The BPDs we reviewed are listed below, and the weaknesses we
identified are presented in Exhibit B.

[17] Most of the BPDs we reviewed were completed and well documented; however, some were still
     in draft form even though the project had moved from the design to build phase.

Finance
 1. Maintain Asset Adjust, Transfer, Add, Edit
 2. Create and Maintain Vendor Master
 3. Manage Returned Payments
 4. Process Journal Entry
 5. Manage Blocked Invoices

Materials Management
 6. Repair and Return
 7. Physical Inventory and Cycle Count
 8. Manage Material Requisition
 9. Goods Receipt
10. Picking and Issue
11. Manage Replenishment/Forecast Demand

Procurement
12. Planning for Sourcing
13. Create Purchase Order
14. Create Contract
15. Contract Administration
16. Goods Receipt of Non-Inventory
17. Purchase Requisition Processing
18. P-Card Payment Request
19. Automatic Generation of Purchase Orders

Mechanical
20. Distribute and Apply Materials
21. Record Resource Consumption

Engineering
22. Work Order Completion
23. Time Compliance
24. Work Actuals

We evaluated the overall scope of the internal controls design work by:

•    interviewing business process owners, SAM SMEs, and the SAM Controls team.
•    comparing the scope of control work performed by the SAM Controls team with the business
     areas impacted by SAM.

We reviewed prior OIG audit reports to verify whether audit recommendations and
management’s commitments to implement audit recommendations are being addressed, to the
extent possible, during SAM R1a implementation. We reviewed the following applicable audit
reports issued by the OIG:

•   Improvements Needed in Vendor Repair and Return Process, Audit Report No. 104-2008,
    03/23/2010
•   Annual Maintenance of Way Inventory, Audit Report No. 217-2008, 12/23/2008
•   Procurement Card Review, Audit Report No. 206-2008, 09/30/2008
•   eTrax Application Review, Audit Report No. 104-2004, 02/23/2006

Last, we interviewed the SAM Technical team, SAM Controls team, and SAM Program
Management team to identify plans to build controls to avoid segregation of duties issues
between multiple applications.

Use of Computer-processed Data
We did not use computer-processed data for the review of SAM R1a internal controls design.

Internal Controls
The objective of this audit was to review SAM program’s internal controls design to determine
whether it adequately identified and mitigated internal control risks.

APPENDIX - MANAGEMENT’S RESPONSE

EXHIBIT B
OIG Analysis of SAM R1A Control Weaknesses and Recommendations

1.  Business Area: Finance
    Business Process: Perform GL Accounting
    Risk Level: High
    Control Type: Configuration
    Impact: Financial

    Control weakness:
    Journal Entry Attestation forms and corresponding supporting documents are
    processed manually, approved via emails, and stored outside SAP.
    This process provides less reliability and accountability to the posted Journal Entries
    and a spotty audit trail.

    Recommendation:
    After SAM R1a Implementation
    - Develop journal entry form and approval workflow for electronic approval of journal
      entries in Ariba. Maintain supporting documentation for all journal entries in Ariba
      and develop interface between Ariba and SAP to automatically post approved journal
      entries in SAP; or
    - Develop approval workflow in SAP and use SAP for creation, approval and
      documentation of journal entries.

    Potential adverse effect:
    Unauthorized journal entries are posted.
    Also, manual journal entries increase the risk of error and rework.

2.  Business Area: Materials Management
    Business Process: Manage Warehouse
    Risk Level: High
    Control Type: Detective
    Impact: Financial

    Control weakness:
    No control documented to periodically review the Physical Inventory list to identify
    locations where inventory counting has not been performed.

    Recommendation:
    Document the control, and identify the frequency of the review and the user role
    responsible for performing the review.

    Potential adverse effect:
    When the physical inventory is not counted on a cyclical basis, the value of physical
    inventory held by the business may be misstated if there is a difference between the
    book inventory and the physical inventory. Inaccurate records also leave the inventory
    vulnerable to undetected loss or theft.

Source: The analysis is based on the OIG's review of 24 BPDs and discussion with SAM Controls team, SAM SMEs, and business owners

3.  Business Area: Procurement
    Business Process: Manage Award
    Risk Level: High
    Control Type: Configuration
    Impact: Financial

    Control weakness:
    No control activity documented to ensure that the approval hierarchy is configured in
    compliance with Amtrak's "Purchase, Expenditure, and Control Approval
    Authorizations policy 11.39.0" for procurement contracts and purchase orders.

    Recommendation:
    Document and test the control.

    Potential adverse effect:
    Inappropriate approval levels can result in unauthorized purchases violating Amtrak's
    policy.

4.  Business Area: Procurement
    Business Process: Manage Award
    Risk Level: High
    Control Type: Configuration
    Impact: Financial

    Control weakness:
    No control activity documented to ensure that Purchase Orders (PO) go through the
    re-approval process whenever approved POs are modified due to (a) change in
    commodity or (b) increase in PO amount above the PO modifier's authority limit.

    Recommendation:
    Document and test the control.

    Potential adverse effect:
    Inappropriate approval levels can result in unauthorized purchases violating Amtrak's
    policy.

5.  Business Area: Procurement
    Business Process: Manage Award
    Risk Level: High
    Control Type: Sensitive Access
    Impact: Financial

    Control weakness:
    While the SAM program is building user security to restrict access, control to ensure
    that the access to create and maintain Purchase Orders in Ariba is restricted to
    authorized personnel is not documented.

    Recommendation:
    Implement, document and test the control.

    Potential adverse effect:
    Amtrak can buy unnecessary or inappropriate materials and services if purchase orders
    are entered or modified by unauthorized personnel.

6.  Business Area: Finance
    Business Process: Manage Master Data
    Risk Level: Medium
    Control Type: Configuration
    Impact: Financial

    Control weakness:
    Control to identify duplicate vendors using fields Vendor Name and City is weak
    because these two fields will not detect unique cases of duplicate vendors.

    Recommendation:
    Change the search criteria to include fields such as Social Security Number (SSN), Tax
    ID number, and Bank numbers (bank routing and account number) to detect duplicate
    vendors.

    Potential adverse effect:
    Duplicate vendors may potentially result in duplicate payment of invoices.

7.  Business Area: Finance
    Business Process: Manage Master Data
    Risk Level: Medium
    Control Type: Detective
    Impact: Financial

    Control weakness:
    Control to review all changes to vendor master accounts needs to be strengthened. The
    review of vendor master accounts does not include detecting vendors with the PO Box
    number listed as their only address to determine if the vendors are not fictitious.

    Recommendation:
    Strengthen the existing control, and identify the frequency of the review and the user
    role responsible for performing the review.

    Potential adverse effect:
    Amtrak can potentially make payment to fictitious vendors.

8.  Business Area: Finance
    Business Process: Manage AP
    Risk Level: Medium
    Control Type: Configuration
    Impact: Operational

    Control weakness:
    Vendor Invoice Management (VIM) tool will scan the vendor invoices and detect
    invoice exceptions such as invalid data, duplicate invoices, vendor name issues, and
    Purchase Order issues.
    If exceptions are found, invoices will be blocked for payment
    until the users responsible for resolving the block reason take appropriate actions to
    unblock the invoices. We did not find a control to ensure that blocked invoices
    approaching payment due dates are proactively reviewed by the users to prevent
    penalties for late payment.

    Recommendation:
    Implement, document and test the control to ensure that VIM sends automatic
    reminders to the users responsible for resolving issues with blocked invoices, at
    defined intervals before the invoice due date.

    Potential adverse effect:
    Late payment of invoices will result in penalties.

9.  Business Area: Finance
    Business Process: Manage AP
    Risk Level: Medium
    Control Type: Configuration
    Impact: Financial

    Control weakness:
    Control to check for duplicate vendor invoices in SAP is too restrictive and may not
    identify all cases of duplicate invoices. The control will identify duplicate invoices
    only if all six fields - namely Vendor, Invoice Amount, Currency Code, Company
    Code, Invoice Reference Number and Invoice Date - match.

    Recommendation:
    Since VIM will provide three duplicate invoice checks with combination of different
    fields including Invoice Reference Number and Invoice Date, we recommend that the
    existing control to identify potential duplicate invoices in SAP be strengthened by
    setting the check only on Vendor, Invoice Amount, and Currency Code fields.

    Potential adverse effect:
    Duplicate invoices may not be detected.

10. Business Area: Finance
    Business Process: Manage AP
    Risk Level: Medium
    Control Type: Configuration
    Impact: Financial

    Control weakness:
    Control to ensure that the critical details on vendor invoices are entered in SAP needs
    strengthening. Currently documented control does not require Invoice Reference
    Number from vendor invoices to be present and entered in SAP.

    Recommendation:
    Strengthen the existing control to include Invoice Reference Number as required field
    during data entry of the vendor invoices in SAP.

    Potential adverse effect:
    VIM duplicate invoice check functionality uses Invoice Reference Number along with
    other fields to search for duplicate invoices. If Invoice Reference Number field has no
    value, VIM will not effectively detect all potential duplicate invoices.

11. Business Area: Finance
    Business Process: Manage AP
    Risk Level: Medium
    Control Type: Configuration
    Impact: Financial

    Control weakness:
    Per interviews with the SAM team, invoices for Service POs over $10,000 will be
    blocked for payment until the service receiver approves the invoice; however, this
    control is not clearly and consistently documented in the Finance and Procurement
    BPDs, and is not documented in the Risk and Controls Index.

    Recommendation:
    Update all relevant Finance and Procurement BPDs, document the control in the Risk
    and Controls Index, and test the control.

    Potential adverse effect:
    Desired controls may not be implemented or may be implemented incorrectly if business
    process design documents are not written clearly and consistently.

12. Business Area: Materials Management
    Business Process: Manage Order
    Risk Level: Medium
    Control Type: Detective
    Impact: Operational

    Control weakness:
    No control documented to periodically review the Core Tracking Report to monitor the
    return of damaged parts sent to Operations for repair.

    Recommendation:
    Document the control, and identify the frequency of the review and the user role
    responsible for performing the review.

    Potential adverse effect:
    Inadequate monitoring of damaged parts sent to Operations for repair can cause
    Material Management to lose track of the parts and misstate the inventory balance.

13. Business Area: Materials Management
    Business Process: Manage Order
    Risk Level: Medium
    Control Type: Detective
    Impact: Operational

    Control weakness:
    No control documented to periodically review the Repair and Return Pool Stock
    Report to determine if sufficient quantities of materials are available for use.

    Recommendation:
    Document the control, and identify the frequency of the review and the user role
    responsible for performing the review.

    Potential adverse effect:
    Inadequate monitoring of available materials can potentially result in excess inventory
    levels or shortage of inventory causing delay in critical repairs, thereby putting
    equipment out-of-service.

14. Business Area: Materials Management
    Business Process: Manage Order
    Risk Level: Medium
    Control Type: Configuration
    Impact: Financial

    Control weakness:
    While the SAM program is configuring the system to achieve desired functionality, the
    control to appropriately configure repair and return movement types is not
    documented.

    Recommendation:
Document and test the control to ensure that movement types are appropriately configured to post inventory value to appropriate General Ledger account.

Potential adverse effect:
Inventory is not recorded or is recorded incorrectly, thereby misstating inventory value in the General Ledger.

Source: The analysis is based on the OIG's review of 24 BPDs and discussion with SAM Controls team, SAM SMEs, and business owners

Item 15
Business Area: Materials Management/Operations
Business Process: Manage Warehouse
Risk Level: Medium
Control Type: Process
Impact: Financial

Control weakness:
No control to ensure that reconciliation between physical and book inventory is completed within a defined time period, and the exceptions are supported by appropriate rationale.

Recommendation:
Implement and document the control, and identify the user role responsible for
performing the review. Prior audit report # 217-2008 "Annual Maintenance of Way Inventory" issued by the OIG recommended that reconciliation between physical and book inventory be completed within 14 calendar days.

Potential adverse effect:
Keeping the reconciliation window open for an extended period of time may result in inappropriate modification of recorded counts of physical inventory and incorrect inventory valuation, and increases the risk of undetected inventory loss or theft.

Item 16
Business Area: Materials Management/Operations
Business Process: Manage Warehouse
Risk Level: Medium
Control Type: Process
Impact: Operational

Control weakness:
No control to ensure materials received from vendors do not remain in quality inspection status for an extended period of time.

Recommendation:
Implement and document the control to periodically review the materials in quality inspection status.
Identify the frequency of the review and the user role responsible for performing the review.

Potential adverse effect:
Materials requiring quality assurance, if they remain in quality inspection status for extended periods of time, can delay the maintenance work due to unavailability of inventory.

Item 17
Business Area: Procurement
Business Process: Manage Award
Risk Level: Medium
Control Type: Process
Impact: Operational

Control weakness:
No control documented to periodically review the Purchase Orders that are open beyond the promised delivery date to help expedite the delivery of materials for business needs.

Recommendation:
Document the control, and identify the frequency of
the review and the user role responsible for performing the review.

Potential adverse effect:
Materials not available on a timely basis can significantly disrupt business operations.

Item 18
Business Area: Mechanical
Business Process: Execute and Record Technical and Resource Data
Risk Level: Medium
Control Type: Detective
Impact: Operational

Control weakness:
The work order status is changed to 'Closed' in Spear after Mechanical project or repair work is completed and reviewed by the supervisor. Control is not defined to periodically review open purchase requisitions related to 'Closed' work orders in Spear to determine if they need to be kept open for other work orders or be deleted.

Recommendation:
Implement and document the control. Identify the frequency of the review and the user role responsible for performing the review.

Potential adverse effect:
Amtrak may make unnecessary purchases on closed work orders if requisitions are not deleted on a timely basis.

Item 19
Business Area: Mechanical
Business Process: Execute and Record Technical and Resource Data
Risk Level: Medium
Control Type: Configuration
Impact: Operational

Control weakness:
Open work orders that are no longer needed and have no transaction activity associated with them are 'Cancelled' in Spear. Control is not defined to delete purchase requisitions related to 'Cancelled' work orders in Spear.

Recommendation:
Implement, document and test the control to automatically delete purchase requisitions related to 'Cancelled' work orders in Spear.

Potential adverse effect:
Amtrak may make unnecessary purchases on cancelled work orders if requisitions are not deleted on a timely basis.

Item 20
Business Area: Mechanical
Business Process: Execute and Record Technical and Resource Data
Risk Level: Medium
Control Type: Process
Impact: Operational

Control weakness:
Control is not defined to ensure that alternate source of supply is identified before working part from one equipment is removed to repair another equipment.

Recommendation:
Implement and document the control.

Potential adverse effect:
Removing parts is a more costly process than using inventory stock and increases maintenance personnel costs. It can result in breakage during the removal process, and cause delays in bringing the originally working equipment back in service.

Item 21
Business Area: Mechanical
Business Process: Execute and Record Technical and Resource Data
Risk Level: Medium
Control Type: Configuration
Impact: Operational

Control weakness:
Control is not defined to create corrective work orders in Spear for the missing components that were taken out from the original equipment (cannibalized equipment) to repair another equipment.

Recommendation:
Implement, document and test the control to
automatically create corrective work orders in Spear.

Potential adverse effect:
Working parts removed from one equipment to repair another equipment may result in costly procurements, increased maintenance personnel costs, breakage during removal process, and delays in bringing the originally working equipment back in service.

Item 22
Business Area: Engineering
Business Process: Feedback and Follow-up
Risk Level: Medium
Control Type: Detective
Impact: Operational

Control weakness:
The work order status is changed to 'Complete' (COMP) in Maximo after Engineering project or repair work is completed and reviewed by the supervisor. Work order status changes from 'WCOMP' to 'COMP' only after the work is completed and all pending transactions such as material and labor are entered in Maximo. Once work order is completed, all open material reservations on that work order are automatically canceled. However, no control exists to ensure that work orders in 'WCOMP' status are periodically reviewed and appropriate actions taken to move them to 'COMP' status in a reasonable time period.

Recommendation:
Identify the time period by which work orders in 'WCOMP' status should be moved to 'COMP' status. Implement and document the control.
Identify the frequency of the review and the user role responsible for performing the review.

Potential adverse effect:
Open, completed work orders reserve unused inventory that can be used on other work orders. This may cause Amtrak to procure unnecessary materials.

Risk Level: High | Medium
    Risk levels are determined based on the combined factor of likelihood and impact of control failure.

Type:
    Configuration: Controls to ensure that the application is set up appropriately to achieve the required functionality.
    Sensitive Access: Controls to ensure that sensitive business transactions are accessed only by authorized individuals.
    Detective: Controls designed to detect errors and irregularities that could not be prevented, but can be rectified.
    Process: Controls to ensure that manual
business processes are designed correctly to provide desired outputs.

Impact:
    Financial: Adverse effect of control not in place will impact accuracy and completeness of financial statements.
    Operational: Adverse effect of control not in place will impact efficiency and effectiveness of business processes.

Source: The analysis is based on the OIG's review of 24 BPDs and discussion with SAM Controls team, SAM SMEs, and business owners

EXHIBIT C
Acronyms

Acronym

BPD                     Business Process Definition
DOT                     Department of Transportation
ERP                     Enterprise Resource Planning
FIS                     Financial Information System
KPI                     Key Performance Indicator
LMS                     Labor Management System
OIG                     Amtrak Office of Inspector General
PRIIA                   Passenger Rail Investment and Improvement Act
R1a                     Release 1a
SAM                     Strategic Asset Management
SAP                     Systems Applications and Products
SME                     Subject Matter Expert

EXHIBIT D
Audit Team Members

This report was prepared and the review was conducted under the direction of Vipul Doshi, Senior Director, IT Audits.

The staff members who conducted the audit and contributed to the report include:

Vijay Chheda, IT Audit Manager
Asha Sriramulu, Senior IT Audit Specialist
Mike Baker, Senior IT Audit Specialist

EXHIBIT E
Management Response

Memo

Date:        January 3, 2011
From:        DJ Stadtler, Chief Financial Officer
To:          David Warren, Assistant Inspector General, Audit
Department:  Finance
Subject:     Strategic Asset Management Program Controls Design is Generally Sound, But Improvements Can Be Made
             Report 105-2010
cc:          Jeff Martin, Chief Logistics Officer
             Frank Vacca, Chief Engineer
             Mario Bergeron, CMO
             Kay Duggan, GIO-ERP
             Don Ford, Senior ERP Director
             Jessica Scritchfield, Principal Audit / Controls Officer

This
letter is in response to the Office of Inspector General (“OIG”) audit 105-2010 “Strategic Asset Management Program Controls Design Is Generally Sound, But Improvements Can Be Made”, dated December 2, 2010.

Management agrees with the recommendations within this report and believes this report provides useful information on which Amtrak management can take action. Management has detailed a response to each of the OIG’s recommendations below.

Recommendation 1a:

Prior to the April 2011 SAM R1a implementation, address the control weaknesses to mitigate financial and operational risk identified in the report related to the SAM R1a implementation (detailed in Exhibit B).

Management Response:

Management agrees with the OIG’s observation and recommendation. The Finance, Procurement, Materials Management, Mechanical, and Engineering departments will take action to reevaluate and update the business process documents to include controls that will mitigate financial and operational risks identified in the OIG report.
Specifically, the individuals responsible and the date by which the documents will be updated are detailed below:

• Gordon Hutchinson, Controller, will be responsible for Finance business process documents by February 25, 2011.

• Bud Reynolds, Deputy Logistics Officer – Procurement, will be responsible for Procurement business process documents by February 25, 2011.

• Bob Nanney, Deputy – Materials Management, will be responsible for Materials Management business process documents by February 25, 2011.

• Tim Ziethen, Senior Subject Matter Expert – Mechanical, will be responsible for Mechanical process documents by March 25, 2011.

The control weakness identified relating to the Engineering department has been remediated. Management forwarded an updated business process document reflecting this to the OIG on December 21, 2010.

Recommendation 1b:

Prior to the April 2011 SAM R1a implementation, reevaluate the other 115 business process documents to determine and implement the automated controls to address financial and operational risks similar to the issues we identified that need to be addressed in SAP, PowerPlant, Maximo, Ariba, and Spear.

Management Response:

Management agrees with the OIG’s observation and recommendation. Management will reevaluate the other 115 business process documents for automated controls that address the financial and operational risks similar to the issues identified in Finding 1a that need to be addressed in SAP, PowerPlant, Maximo, Ariba, and Spear.
Specifically, the individuals responsible and the date by which the documents will be updated are detailed below:

• Gordon Hutchinson, Controller, will be responsible for the Finance business process documents and identification and documentation of controls relating to PowerPlant by March 25, 2011.

• Bud Reynolds, Deputy Logistics Officer – Procurement, and John Venturella, Procurement IT Business Lead, will be responsible for the Procurement business process documents and identification and documentation of controls relating to Ariba by March 25, 2011.

• Bob Nanney, Deputy – Materials Management, and Frank Hopkins, Materials Management IT Lead, will be responsible for the Materials Management business process documents by March 25, 2011.

• Tim Ziethen, Senior Subject Matter Expert – Mechanical, will be responsible for the Mechanical business process documents and identification and documentation of controls relating to Spear by March 25, 2011.

• Ed Simons, Senior Director – Budgeting and Planning, Willem Ebersöhn, Business Area Lead SAM, and Bill Broughton, Senior Program Director Engineering Systems, will be responsible for Engineering business process documents and identification and documentation of controls relating to Maximo by March 25, 2011.

Executive Committee members, in coordination with Finance’s Internal Controls / Audit organization, will provide
oversight to ensure project deadlines are met. Management does have some concerns about resource constraints, and is exploring various options, both internal and external, that may be leveraged to perform these evaluations and recommendations.

Recommendation 2a:

After SAM R1a is implemented, for new capability, evaluate all 139 business process documents to determine and implement the manual controls to address financial and operational risks in SAP, PowerPlant, Maximo, Ariba, and Spear.

Management Response:

Management agrees with the OIG’s observation and recommendation. Management will reevaluate all 139 business process documents for all manual controls that address the financial and operational risks in SAP, PowerPlant, Maximo, Ariba, and Spear.
Specifically, the individuals responsible and the date by which the documents will be updated are detailed below:

• Gordon Hutchinson, Controller, will be responsible for the Finance business process documents and identification and documentation of controls relating to PowerPlant by September 23, 2011.

• Bud Reynolds, Deputy Logistics Officer – Procurement, and John Venturella, Procurement IT Business Lead, will be responsible for the Procurement business process documents and identification and documentation of controls relating to Ariba by September 23, 2011.

• Bob Nanney, Deputy – Materials Management, and Frank Hopkins, Materials Management IT Lead, will be responsible for the Materials Management business process documents by September 23, 2011.

• Tim Ziethen, Senior Subject Matter Expert – Mechanical, will be responsible for the Mechanical business process documents and identification and documentation of controls relating to Spear by September 23, 2011.

• Ed Simons, Senior Director – Budgeting and Planning, Willem Ebersöhn, Business Area Lead SAM, and Bill Broughton, Senior Program Director Engineering Systems, will be responsible for Engineering business process documents and identification and documentation of controls relating to Maximo by September 23, 2011.

Executive Committee members, with coordination from Finance’s Internal Controls / Audit organization, will provide oversight to ensure project deadlines are met.
As with recommendation 1b, management does have some concerns about resource constraints, and is exploring various options, both internal and external, that may be leveraged to perform these reviews and make recommendations.

Recommendation 2b:

After SAM R1a is implemented, for current capability, review automated and manual controls in i) key systems impacted by SAM; i.e. SAP, Ariba, Spear and Maximo and ii) other relevant existing systems such as SupplyPro and Labor Management System (LMS) that interface with SAP. Identify gaps and develop and document the missing controls to ensure that critical financial and operational risks are addressed.

Management Response:

Management agrees with the OIG’s observation and recommendation. Management will review the automated and manual controls in Ariba, Spear, Maximo, SupplyPro, and Labor Management System (LMS) that interface with SAP by September 23, 2011. Management will identify the gaps and develop and document missing controls to ensure critical financial and operational risks are addressed.
Business process owners and the IT department will be responsible for determining that controls are in place for the systems that are impacted by the SAM program, with coordination by Finance’s Internal Controls / Audit organization.

Recommendation 2c:

Build a comprehensive Risk and Control matrix to ensure segregation of duties between multiple applications, such as SAP, Maximo, and Ariba.

Management Response:

Management agrees with the OIG’s observation and recommendation. Management is currently evaluating the alternatives available to ensure segregation of duties exists between multiple applications. DJ Stadtler, Chief Financial Officer, in collaboration with the Information Technology department will determine which systems should be in scope, review the alternatives, make a recommendation to resolve the risks, evaluate available funding sources, and commit to an implementation timeline by January 31, 2011.

EXHIBIT F
OIG Mission and Contact Information

Amtrak OIG’s Mission
The Amtrak OIG’s goals and perceptions of how it can best affect the OIG’s mission, as spelled out in the Inspector General Act of 1978, as amended:

• Conduct and supervise independent and objective audits, inspections, evaluations, and investigations relating to agency programs and operations;
• Promote economy, effectiveness and efficiency within Amtrak and the OIG;
• Prevent and detect fraud, waste and abuse in Amtrak programs and operations;
• Review security and safety policies and programs;
• Make recommendations regarding existing and proposed legislation and regulations relating to Amtrak's programs and operations; and
• Keep the head of Amtrak and Congress fully and currently informed of problems in company programs and operations.

Obtaining Copies of OIG Reports and Testimonies
To obtain copies of OIG documents at no cost, go to Amtrak OIG’s Web site (www.amtrakoig.gov).

To Report Fraud, Waste, and Abuse
Help prevent fraud, waste, and abuse by reporting suspicious or illegal activities to the OIG Hotline:

Web:    https://www.amtrakoig.gov/hotline
Phone:  (800) 468 5469

Congressional Affairs
E. Bret Coulson
Assistant Inspector General for Management and Policy

Mail:   Amtrak OIG
        10 G Street, N.E.
        Drop Box: 3W-159
        Washington, DC 20002
Phone:  (202) 906 4134
Email:  coulsob@amtrak.com